Since the board (and the CEO that they put in place) is ultimately responsible for the results of the company, making the CEO responsible shouldn’t be a surprise. A security breach is just one example of a business risk. not just a “technical issue,” so it should be treated in a similar fashion. There are roles like the CISOs, CIOs, CROs that may support the CEO in their efforts to steer the ship, but if the organization runs aground, the highest levels of corporate leadership need to be held accountable — just like they are rewarded for improved corporate performance. Neither scenario is accomplished by the CEO alone.

A data breach can impact customer confidence, stock price, and the company’s reputation for a long time and those are not “technical issues.” Unfortunately, it is not a matter of “if” but “when” a security incident will occur so a formal effort must be expended to anticipate, detect, develop contingency plans to limit, and correct the situation when it occurs, as quickly and effectively as possible, reducing the impact on the customers as well as the organization itself.